New PG_MEM Malware Targets PostgreSQL Databases to Mine Cryptocurrency
Summary:
Aqua Security’s threat research team, Nautilus, has uncovered PG_MEM, a sophisticated new malware designed to target PostgreSQL databases. This malware exploits weak passwords by launching brute force attacks, gaining unauthorized access to databases, and delivering malicious payloads, including cryptocurrency mining software. PostgreSQL, commonly used in web, mobile, geospatial, and analytics applications, becomes highly vulnerable due to misconfigurations and insufficient identity controls, which are prevalent in large organizations.
The PG_MEM malware follows a multi-stage attack process. Initially, attackers use brute force techniques to guess the database credentials. Once successful, they create a new superuser role with elevated privileges, ensuring persistent access even if the original credentials are later changed. The attackers then gather system information, such as the PostgreSQL server version and configuration, to identify potential vulnerabilities and tailor the attack. Malicious payloads, including cryptocurrency miners and tools for maintaining persistence, are downloaded from a remote server. The attackers use a temporary table to store code and data, clearing it before and after each command to avoid detection. Once the payloads are deployed, the cryptocurrency mining software starts consuming system resources to mine cryptocurrency.
To ensure the malware continues operating, even after system restarts, attackers establish persistence mechanisms like cron jobs and modify system configuration files. They also take steps to evade detection by deleting files and logs associated with their malicious activities.
Security Officer Comments:
The discovery of PG_MEM sheds light on, ongoing risks associated with misconfigured or poorly secured PostgreSQL environments, particularly in large organizations. The malware's ability to persist and evade detection underscores the importance of robust security measures beyond simple password protection. Given the prevalence of PostgreSQL in critical applications, the potential impact of this malware could be significant, not just in terms of resource consumption due to cryptocurrency mining, but also in exposing sensitive data to theft or further compromise.
Suggested Corrections:
Nautilus researchers have identified 800,000 publicly accessible PostgreSQL instances at risk from this malware. This campaign is exploiting internet facing Postgres databases with weak password. Many organizations connect their databases to the internet, weak password is a result of a misconfiguration, and lack of proper identity controls. This is not a rare issue and many large organizations suffer from these problems. Aqua Security can provide invaluable information concerning vulnerabilities and misconfigurations, but sometimes employees choose weak passwords or a zero-day vulnerability emerges. For this reason you should adopt defense in depth approach which aims to deploy detection and protection mechanisms in various junctions of your software development life cycle in the cloud.
Link(s):
https://hackread.com/pg-mem-malware-postgresql-mine-cryptocurrency/
Aqua Security’s threat research team, Nautilus, has uncovered PG_MEM, a sophisticated new malware designed to target PostgreSQL databases. This malware exploits weak passwords by launching brute force attacks, gaining unauthorized access to databases, and delivering malicious payloads, including cryptocurrency mining software. PostgreSQL, commonly used in web, mobile, geospatial, and analytics applications, becomes highly vulnerable due to misconfigurations and insufficient identity controls, which are prevalent in large organizations.
The PG_MEM malware follows a multi-stage attack process. Initially, attackers use brute force techniques to guess the database credentials. Once successful, they create a new superuser role with elevated privileges, ensuring persistent access even if the original credentials are later changed. The attackers then gather system information, such as the PostgreSQL server version and configuration, to identify potential vulnerabilities and tailor the attack. Malicious payloads, including cryptocurrency miners and tools for maintaining persistence, are downloaded from a remote server. The attackers use a temporary table to store code and data, clearing it before and after each command to avoid detection. Once the payloads are deployed, the cryptocurrency mining software starts consuming system resources to mine cryptocurrency.
To ensure the malware continues operating, even after system restarts, attackers establish persistence mechanisms like cron jobs and modify system configuration files. They also take steps to evade detection by deleting files and logs associated with their malicious activities.
Security Officer Comments:
The discovery of PG_MEM sheds light on, ongoing risks associated with misconfigured or poorly secured PostgreSQL environments, particularly in large organizations. The malware's ability to persist and evade detection underscores the importance of robust security measures beyond simple password protection. Given the prevalence of PostgreSQL in critical applications, the potential impact of this malware could be significant, not just in terms of resource consumption due to cryptocurrency mining, but also in exposing sensitive data to theft or further compromise.
Suggested Corrections:
Nautilus researchers have identified 800,000 publicly accessible PostgreSQL instances at risk from this malware. This campaign is exploiting internet facing Postgres databases with weak password. Many organizations connect their databases to the internet, weak password is a result of a misconfiguration, and lack of proper identity controls. This is not a rare issue and many large organizations suffer from these problems. Aqua Security can provide invaluable information concerning vulnerabilities and misconfigurations, but sometimes employees choose weak passwords or a zero-day vulnerability emerges. For this reason you should adopt defense in depth approach which aims to deploy detection and protection mechanisms in various junctions of your software development life cycle in the cloud.
Link(s):
https://hackread.com/pg-mem-malware-postgresql-mine-cryptocurrency/